Amazon S3 bucket policy in the audit account
In AWS Control Tower, AWS services can access your resources only when the request originates from your organization or organizational unit (OU). Any write permission must satisfy the aws:SourceOrgID condition.
You can use the aws:SourceOrgID condition key in the Condition element of the Amazon S3 bucket policy and set its value to your organization ID. This condition ensures that CloudTrail can write logs to the S3 bucket only on behalf of accounts within your organization; it prevents CloudTrail logs from outside your organization from being written to the AWS Control Tower S3 bucket.
This policy does not affect the functionality of your existing workloads. The policy is shown in the following example.
S3AuditBucketPolicy:
  Type: AWS::S3::BucketPolicy
  Properties:
    Bucket: !Ref S3AuditBucket
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Sid: AllowSSLRequestsOnly
          Effect: Deny
          Principal: '*'
          Action: s3:*
          Resource:
            - !Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}"
            - !Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}/*"
          Condition:
            Bool:
              aws:SecureTransport: false
        - Sid: AWSBucketPermissionsCheck
          Effect: Allow
          Principal:
            Service:
              - cloudtrail.amazonaws.com
              - config.amazonaws.com
          Action: s3:GetBucketAcl
          Resource:
            - !Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}"
        - Sid: AWSConfigBucketExistenceCheck
          Effect: Allow
          Principal:
            Service:
              - cloudtrail.amazonaws.com
              - config.amazonaws.com
          Action: s3:ListBucket
          Resource:
            - !Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}"
        - Sid: AWSBucketDeliveryForConfig
          Effect: Allow
          Principal:
            Service:
              - config.amazonaws.com
          Action: s3:PutObject
          Resource:
            - Fn::Join:
                - ""
                - - !Sub "arn:${AWS::Partition}:s3:::"
                  - !Ref "S3AuditBucket"
                  - !Sub "/${AWSLogsS3KeyPrefix}/AWSLogs/*/*"
          Condition:
            StringEquals:
              aws:SourceOrgID: !Ref OrganizationId
        - Sid: AWSBucketDeliveryForOrganizationTrail
          Effect: Allow
          Principal:
            Service:
              - cloudtrail.amazonaws.com
          Action: s3:PutObject
          Resource: !If
            - IsAccountLevelBucketPermissionRequiredForCloudTrail
            - - !Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}/${AWSLogsS3KeyPrefix}/AWSLogs/${Namespace}/*"
              - !Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}/${AWSLogsS3KeyPrefix}/AWSLogs/${OrganizationId}/*"
            - !Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}/${AWSLogsS3KeyPrefix}/AWSLogs/*/*"
          Condition:
            StringEquals:
              aws:SourceOrgID: !Ref OrganizationId
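As an added example (not part of the AWS Control Tower documentation or its templates), the following Python audit check reads a bucket policy document in the JSON form returned by GetBucketPolicy and reports every Allow statement that grants s3:PutObject without a StringEquals aws:SourceOrgID condition, which is the scoping the page's policy relies on. The embedded sample policy, its bucket name, organization ID and the Sid "UnscopedTrailDelivery" are constructed for the demonstration.

```python
"""Audit check: every s3:PutObject Allow in an audit-bucket policy must be
scoped to one organization with the aws:SourceOrgID condition.
Added example, not AWS Control Tower code; sample values are constructed."""
import json


def _as_list(value):
    """Policy fields may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def unscoped_put_statements(policy: dict) -> list:
    """Return the Sids of Allow statements granting s3:PutObject (or a wildcard
    that covers it) that lack a StringEquals aws:SourceOrgID condition whose
    value looks like an organization ID (o-...)."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(a in ("s3:putobject", "s3:*", "s3:put*") for a in actions):
            continue
        # Condition keys are case-insensitive in IAM, so compare lowercased.
        equals = {k.lower(): v for k, v in
                  stmt.get("Condition", {}).get("StringEquals", {}).items()}
        org_ids = _as_list(equals.get("aws:sourceorgid"))
        if not org_ids or any(not str(o).startswith("o-") for o in org_ids):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


# Constructed sample: a Config delivery statement scoped like the page's policy,
# plus a hypothetical CloudTrail delivery statement missing the condition.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AWSBucketDeliveryForConfig", "Effect": "Allow",
     "Principal": {"Service": "config.amazonaws.com"},
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-audit-bucket/AWSLogs/*/*",
     "Condition": {"StringEquals": {"aws:SourceOrgID": "o-exampleorgid"}}},
    {"Sid": "UnscopedTrailDelivery", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::example-audit-bucket/AWSLogs/*/*"}
  ]
}""")

if __name__ == "__main__":
    print(unscoped_put_statements(SAMPLE_POLICY))  # ['UnscopedTrailDelivery']
```

To run it against a live bucket, pass `json.loads(s3.get_bucket_policy(Bucket=name)["Policy"])` from boto3 in place of the sample.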
For more information about this condition key, see the IAM documentation and the IAM blog post titled "Use scalable controls for AWS services accessing your resources".